TechSync
Start free

Legal

Data Processing Addendum

Version 3.2 · Last updated February 11, 2026 · Incorporated by reference into our Terms of Service

This DPA is pre-signed by TechSync and takes effect automatically for all Business and Enterprise customers. A counter-signed copy is available on request from privacy@techsync.io. Customers on Team and Starter plans who require a counter-signed DPA for procurement purposes can request one at no cost.

1. Roles of the parties

Customer is the “Controller” of Customer Content; TechSync is the “Processor.” Where TechSync is itself a Controller of limited data (account data, billing data, service logs), TechSync’s processing of that data is governed by our Privacy Policy.

2. Scope and duration

TechSync will process Customer Content only for the purpose of providing the Service and only on documented instructions from Customer (the Terms of Service, the account admin settings, and any written instructions we mutually agree to). Processing continues until 30 days after workspace cancellation, at which point Customer Content is hard-deleted.

3. Security measures

  • Encryption at rest using AES-256; encryption in transit using TLS 1.2 or higher.
  • Logical isolation between tenant workspaces in our primary Postgres cluster.
  • SOC 2 Type II audited annually; report available under NDA.
  • Quarterly external penetration testing by NCC Group (last test: January 2026).
  • Background checks and confidentiality agreements for all engineering staff.
  • Least-privilege access policy with production access limited to the Infra team (4 people).
  • Production change control via signed git commits and two-person review.

4. Subprocessors

Customer authorises TechSync to engage the subprocessors listed at /legal/subprocessors. TechSync will provide at least 30 days’ notice of any material change to the subprocessor list, and Customer may object in writing. If an objection cannot be resolved, Customer may terminate the affected service for convenience.

5. Data subject requests

TechSync will, to the extent legally permitted, promptly notify Customer of any data subject request that relates to Customer Content and will assist Customer in responding. Most data subject requests can be fulfilled directly from workspace admin tools; where that is not sufficient, contact privacy@techsync.io.

6. Breach notification

TechSync will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Content. Notifications will include the nature of the breach, likely consequences, measures taken, and a point of contact.

7. International transfers

Where Customer Content is transferred out of the UK/EEA, the transfer is covered by the UK International Data Transfer Addendum and/or the EU Standard Contractual Clauses (Module 2 or 3 as applicable), in each case as published by the relevant authority and as incorporated by reference.

8. Refunds

This section summarises our refund stance (the specifics that Sync, our support agent, is instructed to follow). Double-charges are refunded within 5 business days of written confirmation. Accidental annual upgrades made in the first 7 days are reversed on request. Otherwise, pro-rata refunds are discretionary and are handled only by our VP Support. Sync is explicitly instructed not to promise a refund on its own.

9. Deletion and return

Upon request, TechSync will provide Customer with a JSON export of all Customer Content. Upon workspace cancellation, Customer has 30 days to export; after that, all Customer Content is hard-deleted from primary and backup stores within the next 35 days.